
Security concern with use of BB-Code, htmlentities, and array_flip()


terungwa
Solved by Jacques1

In the bulletin board that I am designing, I have included a BBCode script, shown below. I am also using htmlentities() to sanitize user input. However, for the user-submitted code (via the BBCode tag) to be printed out when a user views the topics page, I had to implement array_flip(), which is capable of reversing the text-to-HTML translation achieved with htmlentities().


My question is, does this sequence of operations compromise the site, and is there a better way of doing this?


htmlentities:

// on submit: strip magic-quotes slashes, then HTML-encode the text before it is stored
$post_content = htmlentities(stripslashes($_POST['post_content']));

BBCode script:

function phpbbcode($s)
{
    // drop the newline that follows any "]", e.g. right after an opening [php] tag
    $s = str_replace("]\n", "]", $s);
    // "e" modifier: the replacement string is evaluated as PHP code after $1 is substituted
    $match = array('#\[php\](.*?)\[\/php\]#se');
    $replace = array("'<span>'.highlight_string(stripslashes('$1'), true).'</span>'");
    return preg_replace($match, $replace, $s);
}

array_flip() script:

$text = $comments_row['post_content'];                 // stored, entity-encoded text
$entities = get_html_translation_table(HTML_ENTITIES); // character => entity
$translate = array_flip($entities);                    // entity => character
$new_text = strtr($text, $translate);                  // undoes the htmlentities() encoding

echo $new_text;

Solution (by Jacques1)

This is a massive security hole, because the “e” modifier can be used by visitors to run arbitrary PHP code. Please read the warnings in the manual:


http://php.net/manual/en/reference.pcre.pattern.modifiers.php#reference.pcre.pattern.modifiers.eval


In general, I strongly recommend you keep away from any home-made BBCode implementation. Almost every attempt I've seen so far ended up with all kinds of cross-site scripting vulnerabilities or worse. Use an established library. What about this one?

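A worked illustration of both points in the thread (example code written for this edit, not code from the question or the answer; the sample post is constructed). The first function reproduces the display step from the question: decoding the stored entities with array_flip() and strtr() before echoing hands the browser whatever the visitor typed, so an ordinary post can carry live markup. The second function is a replacement for phpbbcode() that drops the "e" modifier: instead of evaluating a replacement string, it splits the raw post around [php] tags and escapes each segment exactly once at output time, letting highlight_string() do its own HTML escaping for the code.

```php
<?php
// Added example (not from the thread). Shows why the original display step is
// unsafe and one safe way to render [php] blocks without the "e" modifier.

// 1. The display step from the question: entity decoding before echo.
//    Anything that htmlentities() encoded on the way in comes back out raw.
function vulnerable_render(string $stored): string
{
    $translate = array_flip(get_html_translation_table(HTML_ENTITIES));
    return strtr($stored, $translate);   // undoes htmlentities(): "<script>" is live again
}

// 2. Safe rendering: keep the raw post in the database, escape at output time,
//    and parse BBCode by splitting rather than by evaluating a replacement string.
function safe_render(string $raw): string
{
    // PREG_SPLIT_DELIM_CAPTURE returns the captured group between the pieces,
    // so the parts alternate: plain text, php code, plain text, php code, ...
    $parts = preg_split('#\[php\](.*?)\[/php\]#s', $raw, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            // captured PHP source: highlight_string() HTML-escapes the code itself
            $out .= '<span>' . highlight_string($part, true) . '</span>';
        } else {
            // ordinary text: escaped once, here, and never decoded again
            $out .= htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $out;
}

// Constructed sample post: a script tag in the prose plus one [php] block.
$post = "Hello <script>alert(1)</script> [php]echo '<b>hi</b>';[/php]";

// What the original submit step stores, and what the original display step prints.
$stored = htmlentities(stripslashes($post));
echo vulnerable_render($stored), "\n";   // the <script> element is back in the page

// The safe pipeline works from the raw post: prose escaped, code highlighted.
echo safe_render($post), "\n";
```

Store the raw post and call safe_render() at display time; there is then nothing to undo with array_flip(). If you prefer to keep the preg_replace() shape of the original function, preg_replace_callback() is the direct substitute for the "e" modifier, but the split form above makes the escaping boundary between prose and code explicit, which is the part that home-made BBCode parsers usually get wrong.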
